Solved: How to add two query results in xml dashboard?

harishalipaka · ‎03-15-2019

Hi All,

I am giving a dummy dashboard based on this i will explain what i want..

<form>
  <label>test_hari</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="field1">
      <label>field1</label>
    </input>
    <input type="dropdown" token="field2">
      <label>field2</label>
    </input>
    <input type="time" token="time1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>vot</title>
        <search id="votquery">
          <query>index="_internal" |stats count as vot by action, host</query>
          <earliest>$time1.earliest$</earliest>
          <latest>$time1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>LT</title>
        <search id="ltquery">
          <query>index="_internal" |stats count as LT by host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

O had two tables VOT , LT

And i want another table with Total=VOT+LT

Note:- I don't want to use join or append those two queries.like query1 |append [search query2]
I need to pass two tokens from dropdown So i can't use init on the page load,Just i want to store those query results .
Once that query1 executed just i reuse those results only i dont want to run again and again..

please help me for this ,thanks in Advance.

Thanks
Harish

kamlesh_vaghela · ‎03-15-2019

@harishalipaka

loadjob might help you to combine results from multiple panels and populate 3rd panel.

Ref: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/loadjob

Can you please check below example?

<dashboard>
  <label>Sample Dashboard</label>
  <row>
    <panel>
      <title>Panel 1</title>
      <table>
        <search>
          <query>| makeresults count=10 | eval no=1 | accum no</query>
          <finalized>
            <condition>
              <set token="JobSid1">$job.sid$</set>
            </condition>
          </finalized>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Panel 2</title>
      <table>
        <search>
          <query>| makeresults count=10 | eval no=5 | accum no</query>
          <finalized>
            <condition>
              <set token="JobSid2">$job.sid$</set>
            </condition>
          </finalized>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>| loadjob $JobSid1$ | append [ | loadjob $JobSid2$ ]</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

Thanks

View solution in original post

kamlesh_vaghela · ‎03-15-2019

@harishalipaka

loadjob might help you to combine results from multiple panels and populate 3rd panel.

Ref: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/loadjob

Can you please check below example?

<dashboard>
  <label>Sample Dashboard</label>
  <row>
    <panel>
      <title>Panel 1</title>
      <table>
        <search>
          <query>| makeresults count=10 | eval no=1 | accum no</query>
          <finalized>
            <condition>
              <set token="JobSid1">$job.sid$</set>
            </condition>
          </finalized>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Panel 2</title>
      <table>
        <search>
          <query>| makeresults count=10 | eval no=5 | accum no</query>
          <finalized>
            <condition>
              <set token="JobSid2">$job.sid$</set>
            </condition>
          </finalized>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>| loadjob $JobSid1$ | append [ | loadjob $JobSid2$ ]</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

Thanks

harishalipaka · ‎03-15-2019

hi @kamlesh ji

that is fine,but am getting this error Error in 'SearchOperator:loadjob': Artifacts are unavailable because the job (job_id='byd_line0_admin_YnlkX2xpbmUwX2FkbWlu_YnlkX2xpbmUw__search9_1552645537.487912_8303C2C4-C724-4485-878E-DA1E31862275') is still running.

In my case those search will take more time

Thanks
Harish

kamlesh_vaghela · ‎03-15-2019

@harishalipaka

Can you please change <finalized> with <done> and try again?

harishalipaka · ‎03-15-2019

yes @kamlesh_vaghela ji,

i am also tried like this .Its working now
And one doubt is it working for all users are only for owner of that dashboard..?

ThanQ

Thanks
Harish

kamlesh_vaghela · ‎03-15-2019

@harishalipaka

It's depending on which permissions you gave to dashboard. But I think you have a confusion bcoz here we have used loadjob. I have assigned read permission to all roles and I'm able to access the dashboard with user role.

How to add two query results in xml dashboard?

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

How to add two query results in xml dashboard?

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25